

Help, how do I delete DNSChanger?

Yesterday while I was using Google to find something I came upon their warning saying that my computer might be infected; it looked like this:

[screenshot]


I followed the instructions it gave me to get rid of this malware called "DNSChanger", went to the page http://www.dns-ok.us/ to check if in fact my computer was infected, and this is what it showed:

[screenshot]

I downloaded the DNSChanger removal tool and scanned the computer, but it says that I don't have the trojan:

[screenshot]


I ran MacScan and it deleted all the cookies that it found, but I keep getting the "your computer is infected" warning on the Google page and on the other page. I don't know what else to do; do you have any idea how I can fix this?


Right now I'm running ClamXav and it hasn't found anything yet...


Help!

MacBook Pro, Mac OS X (10.5.8)

Posted on May 24, 2012 7:11 AM

33 replies

May 25, 2012 3:24 AM in response to Alexa22

Alexa22 wrote:


Does anyone here know how to check or change the DNS on a speedstream 5200 router via codetel? (which is my ISP)

It's been a while, so perhaps everything is working now, but just in case you still suspect your router, I would contact codetel and ask them to take care of it from their end. Many ISPs are now changing the login info to keep users from tinkering with them, so you may not be able to change it yourself.

Jun 28, 2012 2:50 AM in response to Alexa22

Hi. I know this is old news for some of you but I've only in the last week started having problems with this. I have deleted the DNS Changer malware with MacScan but my computer is still infected. Reading this thread, that means my router is still affected by the malware.


Could someone please tell me how to change the DNS servers for my iMac G4 Power PC? The options in Network are not the same as in newer Mac machines. It tells me what my IP address is and the router address. Those numbers are printed and cannot be changed or grayed out and they are not one of the rogue DNS servers. The DNS server boxes that can be typed in are empty.


Now I searched the internet to find out how to check what DNS servers my machine is using. I put a command into Terminal (Utilities) and 2 servers came up which are part of the rogue servers. I spoke to my ISP provider and was told that because my router is using DHCP my router cannot be infected, so obviously they have no clue what I'm talking about.


I just couldn't get on here last night - not sure if that's the effects of the malware stopping me from logging in and I'm at an internet cafe right now.


Any help would be appreciated. Thanks.

Jul 3, 2012 10:35 AM in response to Feisty411

Log in to your router, and check its DNS settings. Your router might have been using DHCP, and then was changed by the malware. The malware doesn't "infect" your router; it just guesses the username and password to your router and if it gets it right, it changes the DNS settings. If your router's DNS settings were changed, and you set them to good DNS servers, be sure to change the username and password on your router to something more difficult to guess.


What version of OS X do you have on your Mac? I can try to find info on how to manually set the DNS settings on your Mac. You can manually type in the IP addresses of honest DNS servers in your computer (where you said the DNS server boxes are empty); that will make your computer use the honest ones instead of the ones it gets by DHCP from your router. If your computer is the only internet device in your house, then that will work just fine. If you have other internet devices in your house, you really want to get that router fixed. You should try to figure out what device was originally infected... if it wasn't your Mac, then there is (or was) some other computer on your network that was infected with the virus.

Jul 5, 2012 12:08 AM in response to UUGeekGrl

Thanks for replying UUGeekGrl.


I have a Power PC iMac G4 10.4.11. So it's about 7 or 8 years old. My machine is using DHCP.


I'm not able to check my router. I've got a Motorola Surfboard Cable Modem SB5101E. It has no manual reset. I got in touch with Motorola, was given 3 numbers to call for Motorola Solutions and Mobility. They both said they couldn't help, that they don't deal with that product!


I called my ISP and got the servers that they use and I put them into the empty boxes in Network, and I used the sudo nano /etc/resolv.conf command in Terminal to delete the rogue servers, which are now 3rd and 4th in line, then wrote it out to save the changes and exited. But after I restart my Mac and check the servers with cat /etc/resolv.conf the rogue servers are back again and cpc10-dals18-2-0-cust331:~ has been added below them. I don't know if that's an error code or what it's telling me.


I've been reading about sudo crontab -l to check what's in there and sudo crontab -e to edit and delete. Do you think that will work? The FBI will supposedly be shutting down the rogue servers on 9th July so maybe I could just leave it now as I've put my ISP's servers on there now, but I don't want to take the risk or leave the rogue ones on my machine.


The technical dept at my ISP don't seem to have a clue but I could call them again. They gave me the servers they use but she didn't want to walk me through how to actually change them on my machine and said she couldn't do it. Couldn't get me off the phone fast enough.

Jul 5, 2012 12:40 AM in response to Feisty411

Feisty411 wrote:


I'm not able to check my router. I've got a Motorola Surfboard Cable Modem SB5101E. It has no manual reset.

Try...

RECONFIGURE:

1. Open the browser.

2. Access the router, usually with http://192.168.0.1

3. Login to the router with the Username as "admin" and Password as "password" (please note that the Username and Password are case sensitive).

4. Make any necessary changes.

5. Click Apply.

6. Once it updates the settings then power off the modem and the router. Power on the modem and wait for the lights, then power on the router.

Jul 5, 2012 7:39 AM in response to itsamacthing

MadMacs0, I don't have a separate modem and router just the Cable Modem. I've tried that router address already and it doesn't work. Says it got a problem finding the page but I'll check out your link for your responses to a similar situation. Thanks.


itsamacthing, I did already try flushing my DNS but I've been working on this thing for so long, over a week now that I can't remember if it was before or after I put my ISP's servers back in. So I'll definitely try that again and I'll have a look at courcoul's advice again too. Thanks.


I'll check out UUGeekGrl's response if she replies and when it is finally solved I'll post back in case anyone else ever gets stuck.

Jul 5, 2012 9:13 AM in response to Feisty411

Hi there


This is a very useful thread.


I also had the DNSChanger warning come up on Google - I still do - and I ran MacScan, DNS Changer Removal Tool (which has never found it) and so on. And the website goes red for me and Google still moans that something is wrong. Even Facebook gave me a message along those lines today.


However, I am somewhat at a loss.


Firstly, I am on Mac OS 10.4.11 on a MacBook. When I go to Network in my Preferences, and when I select Airport, there is no DNS option for me to click on. For this reason, I cannot carry out the advice given here.


There is, however, a box with DNS Servers when I look at the TCP/IP settings using DHCP to configure my IPv4 settings. That said, the box listing DNS Servers is empty... So I am not sure what to do...


Secondly, when I enter Courcoul's "dscacheutil -flushcache" command into Terminal, I get this response: "-bash: dscacheutil: command not found". What does this mean? (I know what it means - but why does it not work? Is it because I am on a different OS?)


Thirdly, when I enter the "cat /etc/resolv.conf" command into Terminal (which I don't understand, but I can follow instructions to the letter), I get these details appear:


nameserver 85.255.113.148

nameserver 85.255.112.26


Now, this is where I sound like a moron. I understand from UUGeekGrl that these are both listed servers that are bad. But what does this mean? Is there anything I can do? Are these not the servers that my ISP uses (I use BT in the UK), or is that my ISP's servers are corrupted? Either way, I do not know how to change this because of my first query above (no DNS option in Preferences > Network).


Fourthly, I have been moving around a lot recently - but this issue comes up on my machine regardless of whose internet I am using. For example, I am not at home now but staying with a friend.


This prompts another stupid question: when I am using someone else's wifi, does the router info given on the TCP/IP page of my Preferences change - or is that consistently the one that I use at my own home? I do not want to change someone else's password when all I want to do is change my own.


You guys have been amazingly helpful to the others on this thread. I would be truly grateful if someone could help me out - by giving me a bit of a lesson, I guess. Sorry for being so ignorant!

Jul 5, 2012 9:33 AM in response to Feisty411

Finally!! It's sorted! 🙂


I'd like to thank everyone for their advice and help on this. It was much appreciated. In the end it was using crontab that did it for me and in case anyone new has a problem with this in the future, this was the process:


Go into Utilities in Applications and open the Terminal app

Type cat /etc/resolv.conf to check what servers you have

To delete the rogue servers from here type sudo nano /etc/resolv.conf.

Enter your password.

Delete rogue servers. You have to scroll with your cursor to get to the end of the line and then delete from there.

Press Control - O to write out and save changes

Press Control - X to exit.

Restart machine.


This actually didn't work for me personally. So after more searching, help and advice, I got this process:


Go into Terminal

Type sudo crontab -l (That's the letter ell) This shows what entries are in the directory. In mine, I saw the malware script which showed up as /Library/Internet Plug-Ins/QuickTime.xpt. (Like what you had MadMacs0). If you have more than the malware entry in there, you will want to edit and delete. To do this for a single line:

Type sudo crontab -e.

Use arrow key to navigate to line. I scrolled to end of line.

Type dd to delete the line

Type wq and press Return to write out the file and quit.


I had only the one entry and that was the malware script so I was able to use sudo crontab -r which will delete everything in there, so you have to be careful with this command. After that I also flushed the cache. For Tiger you go into Terminal and type lookupd -flushcache. This is like a reset. Two extra servers showed up and I assume they are the original servers that were there - which means that when I called my ISP to ask for the servers they used, they gave me 2 different ones from the original. Whatever.


I restarted my machine and the google alert was gone. I checked out the site that tells you if you're still 'infected' and the background was green. I'm clear.


So even though I had deleted the malware and the rogue DNS servers, because the malware script was still on my machine, the rogue servers kept coming back and my machine kept being told it was 'infected.'

Thanks everyone!

Jul 5, 2012 9:50 AM in response to wjrcbrown

Hi wjrcbrown.


See my post above. I have a desktop iMac which is also Tiger. Courcoul's flush command is for OS X 10.5 and above, I think. There is a different command that I found specifically for Tiger. It's in my post above. Also Tiger's Network is different from newer machines. We don't have a DNS button. I had empty boxes too. I was advised to type the servers into the empty box. I rang my ISP and they gave me the servers they use and I typed it into the box. When I checked it by using cat /etc/resolv.conf, I found that the servers I had typed into the box were now in first and second position and the 2 bad servers were below them.


nameserver 85.255.113.148

nameserver 85.255.112.26


These are definitely bad servers, put there by the DNS Changer trojan and your computer is using them instead of the ones provided by BT. Either ring BT to get the servers they use or use OpenDNS : 208.67.222.222 and 208.67.220.220 or Google DNS: 8.8.8.8 and 8.8.4.4. It's up to you.


I used MacScan to get rid of the trojan. I also have the DNS Changer Removal Tool. When I run it, it says I don't have the trojan (and I don't) but the script was still in the 'crontab root' thingy. So you probably have to get rid of that.

Jul 5, 2012 10:26 AM in response to Feisty411

Feisty 411 (and others)


Cheers for that.


All seems to work okay - until typing in the wq and hitting Return bit. The w prompts the clunky 'retard' sound that the Mac reserves for people like me, the q prompts nothing, and the return provokes the clunky 'retard' sound, too.


Then I have to quit - which makes me Terminate the process - which means it is still there next time I enter Terminal.


I also found that the first one that did not work for you did not work for me either...!


Anyone got any ideas?

Jul 5, 2012 10:44 AM in response to wjrcbrown

wjrcbrown wrote:


when I enter Courcoul's "dscacheutil -flushcache" command into Terminal, I get this response: "-bash: dscacheutil: command not found". What does this mean? (I know what it means - but why does it not work? Is it because I am on a different OS?)

Yes, the command for Tiger is

lookupd -flushcache


but this is one of the last steps you should take.


The first thing to do is get rid of the Trojan.


Check for the presence of the root cron job. To do this, open Terminal (in /Applications -> Utilities), then copy and paste this command:

sudo crontab -l

followed by the return key.

Enter your admin password when asked, and Terminal will then display any cron tasks for root. Typically this will be blank. If you see this output, though, it means you’ve got the malware:


* * * * * "/Library/Internet Plug-Ins/<TrojanName>">/dev/null 2>&1


where <TrojanName> will be "plugins.settings", "AdobeFlash", "QuickTime.xpt" or perhaps something else.


If it says anything else, come back here for guidance. Otherwise go back to Terminal, copy and paste

sudo crontab -r

followed by return and your admin password if asked. This deletes the root cron job that checks the DNS Server settings. You can prove it worked by typing sudo crontab -l; you should see the message “crontab: no crontab for root.”


Now, in the Finder, navigate to /Library -> Internet Plug-Ins, and delete the <TrojanName> file identified by the crontab. Empty the trash. This deletes the tool that sets the rogue DNS Server information.


Open your Network System Preferences panel, go to the DNS Server box, and copy the entries you can see to a Stickies note, TextEdit document, or memorize them. Now retype those same values in the box, then click Apply. Since you said there are no entries there, this may not be necessary.


Now run

lookupd -flushcache


Reboot your Mac.
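As an added example from the editor, not from any poster in this thread: the two checks the replies above walk through by hand (reading the nameserver lines out of /etc/resolv.conf, and looking for the every-minute root cron job that runs a file out of /Library/Internet Plug-Ins) as one small POSIX shell script that also runs on the Tiger-era machines discussed here. The rogue address blocks are the ones published in the FBI / DNS Changer Working Group advisory on DNSChanger (85.255.112.0-85.255.127.255 and the others listed in the script); the sample resolv.conf and crontab text at the bottom are constructed for the demonstration, and the function names are my own.

```shell
#!/bin/sh
# Added example (editor's code, not from the thread): spot DNSChanger traces
# in a resolv.conf listing and a root crontab listing. POSIX sh only, so it
# runs on the Tiger/Leopard machines discussed above.

# Rogue DNS address blocks from the FBI / DNS Changer Working Group advisory.
# Every block fixes the first two octets and spans a run of third octets, so
# each entry is  first.second:third_low:third_high  (inclusive).
ROGUE_RANGES='85.255:112:127 67.210:0:15 93.188:160:167 77.67:83:83 213.109:64:79 64.28:176:191'

# is_rogue_dns IP: exit 0 when IP lies in one of the blocks above, else 1.
# Anything that is not a plain dotted-quad IPv4 address is treated as clean.
is_rogue_dns() {
    case $1 in
        *[!0-9.]*) return 1 ;;   # IPv6 literal, hostname, junk
        *.*.*.*) ;;
        *) return 1 ;;           # fewer than four octets
    esac
    ip_a=${1%%.*}; ip_rest=${1#*.}
    ip_b=${ip_rest%%.*}; ip_rest=${ip_rest#*.}
    ip_c=${ip_rest%%.*}
    for entry in $ROGUE_RANGES; do
        prefix=${entry%%:*}; bounds=${entry#*:}
        lo=${bounds%%:*}; hi=${bounds#*:}
        if [ "$ip_a.$ip_b" = "$prefix" ] && [ "$ip_c" -ge "$lo" ] && [ "$ip_c" -le "$hi" ]; then
            return 0
        fi
    done
    return 1
}

# rogue_nameservers: read resolv.conf text on stdin; print each nameserver
# that is in a rogue block, one per line. Exit 0 if any were found, else 1.
rogue_nameservers() {
    rn_found=1
    while read -r key value extra; do
        [ "$key" = nameserver ] || continue      # skip comments, search, etc.
        if is_rogue_dns "$value"; then
            printf '%s\n' "$value"
            rn_found=0
        fi
    done
    return $rn_found
}

# dnschanger_cron_jobs: read `crontab -l` output on stdin; print every
# every-minute job that runs something out of /Library/Internet Plug-Ins,
# the shape of the re-infection job quoted in the thread. Exit 0 if found.
dnschanger_cron_jobs() {
    cj_found=1
    while IFS= read -r line; do
        case $line in
            '* * * * * '*'/Library/Internet Plug-Ins/'*)
                printf '%s\n' "$line"
                cj_found=0 ;;
        esac
    done
    return $cj_found
}

# --- Demonstration on constructed input (not captured from a real machine) ---
SAMPLE_RESOLV='# resolv.conf after the ISP servers were typed into Network preferences
nameserver 208.67.222.222
nameserver 85.255.113.148
nameserver 85.255.112.26'

SAMPLE_CRON='* * * * * "/Library/Internet Plug-Ins/QuickTime.xpt">/dev/null 2>&1
0 3 * * * /usr/bin/true'

echo "Rogue nameservers in the sample resolv.conf:"
printf '%s\n' "$SAMPLE_RESOLV" | rogue_nameservers || echo "(none)"
echo "DNSChanger cron jobs in the sample crontab:"
printf '%s\n' "$SAMPLE_CRON" | dnschanger_cron_jobs || echo "(none)"

# On the machine being checked:
#   rogue_nameservers < /etc/resolv.conf
#   sudo crontab -l 2>/dev/null | dnschanger_cron_jobs
# Remediation, as the thread describes: sudo crontab -r (only if the rogue
# job is the sole entry, otherwise sudo crontab -e and delete that line),
# remove the file named in the job from /Library/Internet Plug-Ins, re-enter
# the DNS servers in System Preferences, then flush the resolver cache.
```

Run it as is to see the sample output; on the machine you are checking, feed it the real files as the comments at the end show. Two practical notes: if you use sudo crontab -e, the editor is vi, so the save-and-quit sequence is :wq (colon first) followed by Return, which is why typing plain wq only beeps. And on Mac OS X /etc/resolv.conf is generated by the system from the Network preferences and the DHCP lease, so hand-editing it with nano is overwritten on the next network change or reboot, which is what the posters above saw; remove the cron job and the plug-in file first, then re-enter the DNS servers in System Preferences and flush the cache (lookupd -flushcache on Tiger, dscacheutil -flushcache on Leopard and later).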
